On Oct 21, 2013 3:21 PM, "Phillip Hallam-Baker" <[email protected]> wrote: >
> One of the issues that has been raised in the government world is how do we convince people looking in that the IETF spec have not been contaminated by some of the alleged $250 mil/yr being spent on such purposes. > > This is not a theoretical problem or even a new one, but it is one that has been ignored in the past and is now going to be very much harder to ignore. > I'm pretty sure I got "persuaded" into buggering some security in RFC3261 (sips: allowed to terminate at serving proxy rather than being e2e), at least to the extent of accepting and endorsing a flawed argument that I now believe would have made somebody's intercepts easier. Fortunately it turned out not to matter much (as the defacto deployment was "no security" rather than the piece I watered down), and it is now well-understood as an error. So it happens. Sometimes directly, sometimes indirectly as when your customer or client is influenced into influencing your standards work. I didn't even realize what it was when it happened to me, and I used to think I was pretty good at that game. Once burned, twice shy and all that. So I believe it can and does happen. Usually subtly, but I've also heard of much more overt instances. Fortunately hearsay is inadmissible. But we do have to be careful, and we really need to build up a system that anticipates and survives bad actors, even of the most deliberate sort. We live in a glass house, and people are now looking in. Rocks will be thrown. Wear your slippers and safety glasses. -- Dean
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
